Check if HTTP Request comes from roblox game server?

Hey there!

My service (main server guard) got raided today, because someone found out the url, and spammed us… Result: My web application went down.

So, I now want to find a way to verify whether it’s someone with a browser, or other software, or it is Roblox.

Thanks in advance for any ideas!

2 Likes

Anything Roblox can send to identify itself as Roblox a malicious user can replicate.

In terms of a Roblox server request, it will add the place id. This is what I get, but it's still not going to help much.

Can you explain in more detail how this service is used?

2 Likes

Hi there, thanks for the reply! I searched a bit more on the web, and saw that Roblox also sends a “roblox-id” as header. Is it always there, and always the same?

Thanks for your reply!

@Kampfkarren is right. Your best bet may just be to pass a secret code when sending the HTTP request on ROBLOX and confirming the code on your site. That would be better than just blindly accepting all requests.

2 Likes

Hey there! My service allows my node.js application to create a channel in my discord. This will create a way to chat between discord and roblox, without leaving any.

Although, somehow somebody got to know the url and spammed it tonight.

You mentioned something about that place id, can headers be replicated with software?

Thanks in advance,
Jonas.

Yes. Your browser is doing it right now.

Anything Roblox can do a malicious user can copy.

1 Like

Oof. But sending a secret code won’t work either, as there appear to be programs which “record” network usage from roblox, so I cannot include anything in the request which helps verifying the request. :expressionless:

I would be very wary about this o.o

To explain, someone would have to gain access to the Roblox server to get the HTTP URL, or gain access to your bot, to exploit the system. At no point are any of these HTTP requests made public to the client.

1 Like

Weird, then how did they get my current url, if it’s not exposed?

Are you sure it was not leaked? HTTP requests from the server are shown in the dev console for users with the ability to run code.

1 Like

Yes, I am sure. I am the only one that knows it.

I guess so. What if you just prevent the spamming by having a timeout if there are too many requests coming in?

We can’t, our service has to be operational all the time.

What do you mean by “my service”, exactly? Is this something developers can use?

No, it is something people can insert into their game, which will then allow their players to call a moderator at any time, whenever they need one.

As said before, this isn’t possible as a malicious user can copy.

As for Spynaz’s suggestion, you don’t timeout your entire server, only the IP which the request is originating from. You’ll have to manage your usage in your Roblox script to ensure you don’t go over whatever limit you set up, though.

2 Likes
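The two suggestions made in this thread (a secret code confirmed on the site, and a timeout applied only to the offending IP) can be combined in the Node.js endpoint. The sketch below is an added example, not code posted by any participant; the header name, secret value, limits and the `checkRequest`/`prune` helpers are assumptions.

```javascript
// Added example: shared-secret check plus per-IP fixed-window rate limit.
// All names and values below are assumptions, not taken from the thread.
const SECRET = 'constructed-example-secret'; // constructed; load from config in practice
const HEADER = 'x-guard-secret';             // hypothetical header name
const WINDOW_MS = 60000;                     // length of one counting window
const MAX_PER_WINDOW = 5;                    // requests allowed per IP per window

const hits = new Map();                      // ip -> { start, count }

// Compare without returning early at the first mismatching character.
// (In Node, crypto.timingSafeEqual on equal-length buffers is the usual choice.)
function safeEqual(given, expected) {
  if (typeof given !== 'string') return false;
  let diff = given.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= given.charCodeAt(i) ^ expected.charCodeAt(i); // NaN coerces to 0
  }
  return diff === 0;
}

// Returns the HTTP status the endpoint should answer with.
function checkRequest(ip, headers, now = Date.now()) {
  let entry = hits.get(ip);
  if (!entry || now - entry.start >= WINDOW_MS) {
    entry = { start: now, count: 0 };        // new window for this IP
    hits.set(ip, entry);
  }
  entry.count += 1;                          // failed attempts count too
  if (entry.count > MAX_PER_WINDOW) return 429; // throttle this IP only
  if (!safeEqual(headers[HEADER], SECRET)) return 401;
  return 200;
}

// Drop expired windows so the map does not grow without bound.
function prune(now = Date.now()) {
  for (const [ip, e] of hits) {
    if (now - e.start >= WINDOW_MS) hits.delete(ip);
  }
  return hits.size;
}
```

Counting the request before checking the secret means a flood of requests with a wrong or missing secret is throttled as well, while other IPs keep being served.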

Alright, thanks.

1 Like

Why’d you say no? The answer seems to be yes.

If it’s something developers can put into their game, then there’s nothing you can really do about people finding your URL.

It’s encoded code. They can’t see it.

1 Like